Here's a script I've written. I've gathered all MS's VB scripts on scripting ACLs and written this. This script has two improvements over AdsSecurity.dll: 1. It doesn't need AdsSecurity.dll. 2. It handles inheritance properly. Although Microsoft also claims that with IADsSecurityUtility there is no need for reordering anymore, I beg to differ. When using this script on a remote computer it sets the permissions correctly, but after using the script, create a subfolder and open the properties tab on the permissions and you will get the notice that the order is not correct. Update: inheritance works correctly if the parent's list of ACLs is in the correct order. However, I still feel that this is the best utility to use since it sets permissions easier and better than cacls, xcacls, SetACL and AdsSecurity.dll; besides, it is incorporated in Windows XP and higher (unfortunately not in Windows 2000). Anyway, without further ado, here's the code:

[update] Changed many parts of the code. It works properly now, inheritance and all; the problem resided in the server shares I tested, where the ACL order wasn't correct in the first place. This UDF isn't a miracle worker: when the ACLs are proper in the first place this UDF will work properly. If not, then it will not. I've tested this by setting permissions on other workstations in my domain like "\\PC-1\c$\temp" and that worked without problem. Added improvements over the last version. This will be the final version for now; it works with all commands and I'll post it to the UDFs as is. The next version will have share permissions. [/update]

Linking to the "original" thread: http://www.kixtart.org/ubbthreads/showflat.php?Cat=0&Board=UBB13&Number=154513

Most of us know that there are several ways to use programming/scripting to set NTFS security details on files and folders, such as cacls.exe, xcacls.exe, xcacls.vbs, AdsSecurity.dll and the most recent (incorporated in XP and 2003), ADsSecurityUtility. I chose ADsSecurityUtility after the problems with the above mentioned. This by far works best, imo. The only problem I have is in the order of inherited ACEs. I'll tell you first when the problem occurs. It occurs when you select a folder on a remote computer in the network, even a folder on the server, for instance: \\Server01\Share$\folder. It doesn't occur when you do it on your own computer in the network, for instance \\LocalXP\c$\folder. The permissions on the set folder are in perfect order (well, perfect...) but once set, if you create a subfolder and look at the permissions on it, they are out of order (Windows says so). The code itself is very sound. The only thing I need to know is the correct AceFlags to set permissions so the problem does NOT occur on \\Server01\Share\folder. Can anyone please help me out? [edit] Removed the code, I'll post the changes in the first post. [/edit]

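The set-then-check procedure described in the post above, as an added PowerShell example; this is not the thread's KiXtart UDF (which is not on this page), it only drives the same ADsSecurityUtility and AccessControlEntry COM objects from PowerShell. It adds one inheritable allow ACE to a folder, then creates a subfolder and asks Windows whether the DACL the subfolder inherited is canonical, which is the check the ACL editor does before showing its "order is not correct" notice. $Path, $Trustee and the choice of the "Modify" mask are assumptions to replace; the account running it must be allowed to change the folder's DACL, and the COM objects exist on XP/2003 and later only.

```powershell
# Added example: add an inheritable ACE through IADsSecurityUtility and verify
# that a new subfolder inherits a canonical DACL. Not the thread's UDF.
$Path    = '\\Server01\Share$\folder'   # assumed path, same shape as in the post
$Trustee = 'DOMAIN\SomeGroup'           # assumed trustee

# IADsSecurityUtility constants (iads.h)
$ADS_PATH_FILE     = 1   # path is a file or folder
$ADS_SD_FORMAT_IID = 1   # hand back an IADsSecurityDescriptor object

# ACE type and flag constants (iads.h / winnt.h)
$ADS_ACETYPE_ACCESS_ALLOWED = 0
$OBJECT_INHERIT_ACE    = 0x01   # files below inherit this ACE
$CONTAINER_INHERIT_ACE = 0x02   # folders below inherit this ACE (ADS_ACEFLAG_INHERIT_ACE)
$INHERITED_ACE         = 0x10   # set by the system on propagated ACEs; never set it yourself
$FILE_MODIFY = 0x1301BF         # the mask the ACL editor shows as "Modify"

$util = New-Object -ComObject ADsSecurityUtility
$sd   = $util.GetSecurityDescriptor($Path, $ADS_PATH_FILE, $ADS_SD_FORMAT_IID)
$dacl = $sd.DiscretionaryAcl

$ace = New-Object -ComObject AccessControlEntry
$ace.Trustee    = $Trustee
$ace.AccessMask = $FILE_MODIFY
$ace.AceType    = $ADS_ACETYPE_ACCESS_ALLOWED
# "This folder, subfolders and files" = both inherit bits on an explicit ACE.
$ace.AceFlags   = $OBJECT_INHERIT_ACE -bor $CONTAINER_INHERIT_ACE

$dacl.AddAce($ace)
$sd.DiscretionaryAcl = $dacl
$util.SetSecurityDescriptor($Path, $ADS_PATH_FILE, $sd, $ADS_SD_FORMAT_IID)

# The check the post asks for: create a subfolder and let Windows judge the order
# of the ACEs it inherited. AreAccessRulesCanonical is what the GUI complains about.
$child = Join-Path $Path ('acltest-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $child | Out-Null
try {
    $parentAcl = Get-Acl -Path $Path
    $childAcl  = Get-Acl -Path $child
    "Parent canonical: $($parentAcl.AreAccessRulesCanonical)"
    "Child  canonical: $($childAcl.AreAccessRulesCanonical)"
    $childAcl.Access |
        Select-Object IdentityReference, AccessControlType, IsInherited, InheritanceFlags |
        Format-Table -AutoSize
} finally {
    Remove-Item -Path $child -Force
}
```

If the parent already reports `AreAccessRulesCanonical = False`, every child created afterwards inherits the same out-of-order list, which matches what the thread later concludes: the flags on the new ACE are not the cause, the order of the ACEs already on the parent is. Note also that `INHERITED_ACE` (0x10) is never set on an ACE you add explicitly; only the propagation code sets it, and an explicit ACE carrying that bit lands in the wrong group.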
This is one of the more interesting threads I've seen in a while. Following along with much interest; currently setting myself up to test and (hopefully) follow along.

Thx Shawn. Story so far:
1. The code itself is sound, although a W.I.P. function. The ACE's attributes are currently set so FOLDER permissions are (attemptingly) correctly set. I'll worry about file and registry perms later.
2. The problem resides in the ACE flags; they are correctly done on the local computer (even if you called it like "\\MyPc\share$\folder") on which you execute the script, but on a remote computer in the same domain the inheritance is wrong.
3. Apparently extensive knowledge of ACE flags is needed. If you test this code and you are trying to get this to work, my advice is to unregister AdsSecurity.dll if you have it registered, to avoid conflicts.
4. If this is resolved we could have the first fully working UDF for NTFS security scripting.

Well, tbh, I'm having trouble getting it to work right now. I don't have a server to use, so I set up a share on a remote workstation (that shouldn't be an issue, ja?). Made a couple of changes to your function for my own benefit. 1) Removed the MessageBox output and just slapped in some ? "..." type console messages. 2) Currently my $oADsSecurityUtility.SetSecurityDescriptor call is failing with the ubiquitous COM "unspecified error" right now. However, your UDF is not trapping this and ends up just returning an errorlevel of 0 (I know this is a WIP though)... Still plugging away.

Hi Arend, I'd like to help out, but this process actually can be quite time consuming, as I'm sure you've seen, and I'm working on too many other projects at the moment to take on something like this. However, don't forget that XCACLS.VBS (though large in size) does work properly, so you might be able to review that code to help determine where you might be going wrong. If I get a bit of free time I'll try to dig into it a little bit and help out further. Good luck, guy.

Ron - can we MSN tonight, and hopefully you can give me the scoop on how to set this up properly, ja?

Shawn: 1. Shouldn't be a problem. 2. The script will only work on XP/2003 since IADsSecurityUtility is only implemented on those OSs, so 2000 won't work if you're on 2000. NTDOC: That's ok, thanks for your advice, I'll have a look at the flags in XCACLS.VBS.

I'm going XP PRO -> XP PRO

I know my UDF's argument processing is rather primitive at the moment, but please try to use it exactly as it is mentioned, like this:

Shawn, maybe your Activeds.dll isn't registered. (It comes standard in XP and 2003.)

Shawn is purely an XP guy, so I don't think that's the case.

Could you retrieve the $oADsSecurityUtility.SetSecurityDescriptor error number? I had it a few times in the beginning with AdsSecurity.dll; the error was something like -2124324, which means that the ACE you're trying to add can't be found.

I've read through the XCACLS.VBS code. At first I wanted to translate it, but reading halfway through I lost interest in that since it's too much code for what it does, imo. Besides, I think it takes a different approach to what I'm trying to do. I'm still trying to figure it out and as soon as I find something I'll post it here.

Well, I'm not sure if you've seen these documents or not, so I'll post the links. As far as reordering not being needed, I don't see how that can be unless they're claiming that they somehow check and fix that automatically within the DLL, which is difficult to believe.
access control entry (ACE): An entry in an access control list (ACL). An ACE contains a set of access rights and a security identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited.
discretionary access control list (DACL): An access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.
ACE Inheritance Rules: http://msdn.microsoft.com/library/defaul...tance_rules.asp
Order of ACEs in a DACL: http://msdn.microsoft.com/library/defaul...s_in_a_dacl.asp
Automatic Propagation of Inheritable ACEs: http://msdn.microsoft.com/library/defaul...itable_aces.asp

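The "Order of ACEs in a DACL" rule linked above, spelled out in code as an added PowerShell example (not from the thread or from Microsoft's documents). For files and folders, which have no object-specific ACEs, the canonical order is: explicit deny ACEs, then explicit allow ACEs, then inherited deny, then inherited allow. `Test-DaclCanonical` applies that rule to the rules `Get-Acl` returns, in on-disk order, and places the result next to Windows' own verdict (`AreAccessRulesCanonical`); `Repair-DaclOrder` rebuilds a non-canonical DACL by re-adding the explicit rules, deny first, to a fresh `DirectorySecurity`, which keeps itself canonical, and leaves the inherited ACEs to be propagated again from the parent. `$Path` is an assumed placeholder; `Repair-DaclOrder` only writes when `-Apply` is given.

```powershell
# Added example: the canonical DACL order rule for NTFS, as a check and a repair.
# Rank of a rule in canonical order (lower must come first):
#   0 explicit deny, 1 explicit allow, 2 inherited deny, 3 inherited allow
function Get-CanonicalRank {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $deny = $Rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny
    if (-not $Rule.IsInherited) { if ($deny) { 0 } else { 1 } }
    else                        { if ($deny) { 2 } else { 3 } }
}

function Test-DaclCanonical {
    param([string]$Path)
    $acl   = Get-Acl -Path $Path
    $rules = @($acl.Access)                       # returned in on-disk order
    $ranks = @($rules | ForEach-Object { Get-CanonicalRank $_ })
    $ok = $true
    for ($i = 1; $i -lt $ranks.Count; $i++) {     # ranks must never decrease
        if ($ranks[$i] -lt $ranks[$i - 1]) { $ok = $false; break }
    }
    [pscustomobject]@{
        Path          = $Path
        RuleOrderOk   = $ok                           # the rule applied by hand
        WindowsSaysOk = $acl.AreAccessRulesCanonical  # .NET's verdict on the same DACL
        Order         = ($rules | ForEach-Object {
            '{0}:{1}{2}' -f $_.IdentityReference, $_.AccessControlType,
                            $(if ($_.IsInherited) { '(inh)' } else { '' })
        }) -join ', '
    }
}

function Repair-DaclOrder {
    param([string]$Path, [switch]$Apply)
    $acl = Get-Acl -Path $Path
    if ($acl.AreAccessRulesCanonical) { return "already canonical: $Path" }
    # A fresh DirectorySecurity starts canonical and AddAccessRule keeps it so.
    $fixed = New-Object System.Security.AccessControl.DirectorySecurity
    # Keep the folder's inheritance setting (protected or inheriting from its parent).
    $fixed.SetAccessRuleProtection($acl.AreAccessRulesProtected, $false)
    # Only explicit rules are copied, deny before allow; inherited ACEs are not
    # written by us, the parent propagates them again once the DACL is replaced.
    $acl.Access |
        Where-Object { -not $_.IsInherited } |
        Sort-Object { Get-CanonicalRank $_ } |
        ForEach-Object { $fixed.AddAccessRule($_) }
    if ($Apply) { Set-Acl -Path $Path -AclObject $fixed }
    # Return the explicit rules in the order they will be written.
    $fixed.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, AccessControlType, InheritanceFlags
}

# Usage (paths are assumed placeholders):
#   Test-DaclCanonical -Path '\\Server01\Share$\folder'
#   Repair-DaclOrder   -Path '\\Server01\Share$\folder'          # dry run, shows the new order
#   Repair-DaclOrder   -Path '\\Server01\Share$\folder' -Apply   # writes it
#   Test-DaclCanonical -Path '\\Server01\Share$\folder'          # both columns should now be True
```

The rebuild is the reason `Repair-DaclOrder` does not simply call `AddAccessRule` on the ACL it read: the .NET ACL classes refuse to modify a DACL they consider non-canonical (`InvalidOperationException: This access control list is not in canonical form and therefore cannot be modified`), which is the same condition the ACL editor reports. Run `Test-DaclCanonical` on the share root before scripting ACEs onto it; as the thread later finds, an out-of-order parent is inherited as-is by every new subfolder, whatever flags the added ACE carries. Active Directory objects use a longer order that also separates object-specific ACEs, so this rank function applies to files, folders and registry keys only.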
I knew we had discussed this topic before... maybe not to this degree. But I do know that I have talked about this with Shawn before. Kent: Review a WSH script - Part Deux; Re: OFF TOPIC - Shawn can you review a WSH script for me? And... we can find where it all comes from too: Apply File And Directory Permissions... (VBScript). Kent

NTDOC: thx for the links. From what I gather the inheritance order isn't set correctly and can only be properly done with "SetEntriesInAcl", which cannot be used in a low-level programming language. kdyer: indeed, I tried this a year ago; remember I translated your unworking version of ChangeACLs to a working version: ChangeACLS http://www.kixtart.org/ubbthreads/showflat.php?Cat=0&Number=131714&page=0&fpart=all&vc=1

Small update: I can confirm now that with IADsSecurity, adding an ACE to an existing DACL will have the order of ACEs set correctly. However, the order is not pushed down the chain. Even though you can script it so it pushes the permissions to every subfile and folder, the problem begins when a new folder is created after the permissions are set. I still cannot figure out why this is happening. In the GUI of Windows security there is the option to have every file created after the setting of the permissions inherit the perms and order. However, I cannot find this option in IADsSecurity or AdsSecurity as of yet. This is the last option we need; if this is figured out, permissions can finally be safely scripted. Nonetheless, permissions can be perfectly scripted with the above code (although not yet completed) on files, since there are no inheritance rules on those.

Small Update 2: Updated the code some, Select for too many ifs. Added better error handling. [edit] Small Update 3: After spending yet a few hours on this, I can confirm the problem resides in the AceFlags. I've tried numerous combinations and continue to test this. [/edit]

Big Update. After spending last night on this, I've figured out what the problem was. There is no need to set permissions differently on folders than you would do on files. The problems I kept having were related to the server shares I tried them on. They weren't correct in the first place. I've since then tried setting perms on different workstations in my domain, for instance "\\PC-1\c$\Temp", and there it worked perfectly, inheritance, order and everything. So the UDF got some overhaul and it is nearing completion. Once I'm satisfied with it I'll submit it to the UDFs.

Updated: see the first post, Edit4

So you're saying this is about ready for some testing with Shawn's RUNNAS utility now?

RUNNAS... are you nuts?

ROFLMAO - I knew that would drag you out

Not sure what you mean by testing it with RUNNAS, but yeah, running this script as a network administrator will give you the best results, of course. Besides, I would love to get input from people using this script. I've also tested this script on a single XP machine using UNC paths to its own C drive, and it works properly there as well.